SOCIAL SECURITY
Office of the Inspector General
December 7, 2001

The Honorable Jo Anne B. Barnhart
Commissioner

Dear Ms. Barnhart:

In November 2000, the President signed the Reports Consolidation Act of 2000, which requires
Inspectors General to provide a summary and assessment of the most serious management and
performance challenges facing the agencies and the agencies’ progress in addressing them. This
document responds to the requirement to include this statement in the Fiscal Year (FY) 2001
Social Security Performance and Accountability Report.

In January 2001, we identified the following 10 significant management issues facing the Social
Security Administration (SSA) for FY 2001.

 Critical Information Infrastructure           Disability Redesign
 Earnings Suspense File                        Enumeration
 Fraud Risk                                    Government Performance and Results Act
 Identity Theft                                Representative Payees
 Service to the Public                         Systems Security and Controls

In FY 2001, SSA took action to address these issues, many of which are of a long-term nature and
do not lend themselves to quick fixes. Our assessment of the status of these 10 management
challenges is enclosed.

Sincerely,

James G. Huse, Jr.
Inspector General of Social Security

Enclosure

SOCIAL SECURITY ADMINISTRATION                BALTIMORE MD 21235-0001

Inspector General Statement
on the
Social Security Administration’s
Major Management Challenges

DECEMBER 2001

Critical Information Infrastructure

As technology advances and our reliance on technology increases, the need for a strong
information infrastructure becomes more important. Protection of critical information and its
infrastructure is an issue that is significant not just to the Agency, but to the entire Government.
For example, Presidential Decision Directive (PDD) 63, issued in 1998, requires Federal agencies
to identify and protect their critical infrastructure and assets. One of the Social Security
Administration’s (SSA) most valuable assets is the information it collects and uses to complete its
mission. SSA is depending on technology to meet the challenges of ever-increasing workloads
with fewer resources. A physically and technologically secure Agency information infrastructure
is a fundamental requirement.

SSA Has Taken Steps to Address this Challenge

SSA addresses critical information infrastructure and systems security in a variety of ways. It has
established workgroups to conduct ongoing system reviews, including a Critical Infrastructure
Protection workgroup that works toward compliance with PDD 63. The workgroup has created
several components throughout SSA to handle systems security.

Government Information Security Reform Act: The Government Information Security
Reform Act requires each agency to develop and implement an agency-wide information security
plan for its assets and operations, and requires the agency's Office of Inspector General (OIG) to
determine the efficiency and effectiveness of the overall security program and practices.
SSA has
initiatives underway in support of key Governmentwide initiatives focused on information
assurance and data protection. For this mandate, SSA completed an assessment of its security
program using a self-assessment tool provided by the National Institute of Standards and
Technology.

PDDs 63 and 67: PDDs 63 and 67 address the new physical and cyber threats to our national
infrastructure. PDD 63 calls for a national level effort to assure the security of increasingly
vulnerable and interconnected infrastructures of the United States, and provides for a protection
plan for national assets from both physical and cyber attack. SSA has identified its most critical
assets and their relationship to other critical functions of Government and private industry. It has
begun vulnerability analyses of these most critical assets.

PDD 67 directs all executive agencies to have a viable continuity of operations plan to enable the
agency to continue essential functions during an emergency. SSA revised its PDD-67 plan to reflect
current Agency priorities, and further actions are planned to permit automated updating and
access of information.

Additionally, SSA is planning to increase its information infrastructure to better meet the
American public’s expectations and needs. SSA is building an Internet infrastructure to allow its
users and business partners to enter information about life events directly into its programmatic
systems, rather than calling or visiting a teleservice center or field office (FO) and having SSA
employees enter the data.
SSA expects to make the conversion to this new architecture within the
next 2 years.

SSA Needs to Continue to Address this Challenge

SSA has taken steps to strengthen its critical information infrastructure; however, further action is
needed to protect the systems and information SSA is charged with managing and protecting.

Exposures exist primarily because SSA has not completed implementation of its enterprise-wide
security program. Until a complete security framework is implemented and maintained, SSA’s
ability to mitigate effectively the risk of unauthorized access to, and/or modification or disclosure
of, sensitive SSA information will be impaired. Unauthorized access to sensitive data can result
in the loss of data, loss of trust fund assets, and/or compromised privacy of information associated
with SSA’s enumeration, earnings, and benefit payment processes and programs. The need for a
strong security framework to address threats to the security and integrity of SSA operations will
continue to grow as SSA implements Internet and Web-based applications.

We have recommended SSA continue its efforts to fully implement the information security
framework by:
• Assigning specific resources to complete the full information security framework, with priority
  given to implementation, enforcement, and monitoring of technical security standards;
• Fully implementing technical security configuration standards;
• Establishing a process to determine that configuration standards remain consistently enforced;
• Establishing and enforcing effective procedures for monitoring security violations, periodic
  review of access assignments, and firewall log reviews; and
• Consistently enforcing policies and procedures for physical access to information resources
  based on the concept of access required to perform assigned job responsibilities.

The continuing expansion
of SSA’s information infrastructure is an essential part of SSA’s plans
to meet its future workloads. However, expansion of the critical information infrastructure must
be implemented in a balanced manner. SSA must continue to ensure that its critical information
infrastructure is secure as it expands to better meet the demands of the American public and an
ever-increasing workload.

Disability Redesign

SSA’s initiatives to redesign its disability determination process have not resulted in significant
improvements. SSA administers two programs providing benefits based on disability: Disability
Insurance (DI) and Supplemental Security Income (SSI). Most disability claims are initially
processed through Social Security FOs and State Disability Determination Services (DDS).
SSA’s FO staff are responsible for obtaining applications for disability benefits and verifying non-
medical eligibility requirements, which may include age, employment, or marital status
information. The FO sends the case to a DDS for a disability evaluation. DDSs are State
agencies fully funded by SSA responsible for developing medical evidence and rendering the
initial determination on whether the claimant is legally disabled or blind. In Fiscal Year (FY)
2001, some 2,166,623 initial disability claims were processed, and the average processing time
was 106 days.[1]

If a claimant is not satisfied with a DDS decision, the individual may file an appeal. The Office of
Hearings and Appeals (OHA) is responsible for holding hearings and issuing decisions at two
distinct stages in SSA’s appeals process—in hearing offices and at the Appeals Council.
Administrative Law Judges (ALJ) hold hearings and issue decisions in hearing offices
nationwide.
In FY 2001, hearing offices disposed of 465,228 cases, and the average time a
claimant waited for a decision on an appeal was 308 days.[2] The Appeals Council is the final level
of administrative review for claims filed under SSA’s disability programs. The Appeals Council
reviews ALJ decisions and dismissals upon the claimant’s request for review. In FY 2001, the
Appeals Council disposed of 115,589 cases.

SSA Has Taken Steps to Address this Challenge

SSA has tested several improvements to the disability claims process as a result of concerns about
the timeliness and quality of its service. SSA’s Disability Redesign plan combines initiatives that
have been tested and piloted over the last few years and includes all levels of eligibility
determinations beginning with State DDSs and continuing through the hearings and appeals
processes.

The Disability Redesign plan was originally issued in September 1994, but SSA has revised its
plans several times to accommodate changes in the improvement initiatives. SSA’s updated plan
entitled, Social Security and Supplemental Security Income Disability Programs: Managing for
Today Planning for Tomorrow, was issued on March 12, 1999. The updated plan had four broad
goals: Improve the Disability Adjudication Process; Enhance Beneficiaries’ Opportunities to
Work; Safeguard the Integrity of Disability Programs; and Improve the Knowledge Base for the
Next Century.

[1] In FY 2000, the average processing time was 102 days.
[2] In FY 2000, a claimant waited 297 days for a decision on an appeal.

To date, SSA’s initiatives have not resulted in significant improvements to the disability
determination process.
• As of May 2, 2001, decisions about the expansion of a prototype initiative at additional DDSs
  were delayed.
  Preliminary data from the prototypes raised questions about the program costs
  of national implementation.
• On October 22, 2001, the Disability Claim Manager (DCM) initiative was cancelled. The
  DCM test results showed that case-processing costs increased and more resources would be
  needed to support a blended Federal/State process.
• A plan for a new quality assurance (QA) system has not been developed. In reviewing SSA's
  QA system, a contractor informed SSA that modifying the system would not move SSA
  toward its quality improvement goals. Instead, SSA should adopt an advanced quality
  management system. In July 2001, the Acting Commissioner appointed a senior-level steering
  committee to develop recommendations for a new quality process. The results of the
  committee's work have not been released.
• The Hearings Process Improvement (HPI) initiative has not resulted in the planned
  improvements in OHA productivity and processing times.

SSA Needs to Continue to Address this Challenge

SSA needs to continue to improve the disability process. While it created a framework to address
weaknesses in the disability process, it continues to fall short of most of its established disability-
related performance goals. SSA did not meet 10 of 14 disability-related performance goals
contained in SSA’s FY 2001 performance report. Particularly troublesome is the hearings and
appeals process. SSA did not meet any of its goals related to the hearings and appeals process,
and often failed to get within 5 percent of its goals in this area. The disability process continues to
be a serious concern given the level of resources SSA has devoted to its disability process
improvement initiatives and the lack of substantial improvement to date.

During FY 2001, we obtained and evaluated employee assessments of the results of OHA’s
implementation of Phase 1 of the HPI plan.
Our evaluation identified areas that SSA needed to
improve during full implementation of the HPI plan. These areas included staffing, training, and
ALJ instructions. Improvements were also needed in the staff's perception of quality of service,
processing efficiency, and job satisfaction. Additionally, we found that the current medical
evidence collection process accounts for a considerable portion of overall disability claims
processing times. We calculated the time it took 8 DDSs to receive 663,293 medical evidence of
record folders (MER) from claimant treating sources during FY 1998. For 35 percent of the
MERs, the DDSs waited more than 30 days to receive them. Delays in receiving MERs from
treating sources resulted in SSA paying over $1 million for MERs that were not received by these
DDSs until after the disability decision was made. We made recommendations for SSA to
improve DDS medical collection processes.

Earnings Suspense File

SSA’s Earnings Suspense File (ESF) represents a major management challenge because its size
and rate of growth may impact the calculations of beneficiaries' benefits, adds administrative
costs, and represents a sizeable portion of nationwide Social Security number (SSN) misuse.

The ESF primarily consists of reported earnings that are put into suspense because the name/SSN
combination does not match validation criteria within SSA’s systems. Although SSA has reported
it correctly posts over 99 percent of all wages received, those wages that cannot be posted to
earners' accounts continue to accumulate in the ESF. Between Tax Years 1937 and 1999, the ESF
grew to about $333 billion in wages representing approximately 227 million wage items. Each
year, SSA receives about 21 million wage items that have an invalid name and SSN combination,
and, through extensive computer matches and manual efforts, this number is reduced to about
6.5 million items, annually.
However, further efforts to resolve invalid wage items can take years.

The integrity of SSA’s process for posting workers’ earnings is critical to ensuring eligible
individuals receive the full retirement, survivor, and/or disability benefits due them. If earnings
information is reported incorrectly, or not reported at all, SSA cannot ensure that all eligible
individuals are receiving the correct payment amounts.

Finally, the ESF is indicative of a nationwide problem of potential fraud and misuse that not only
affects SSA programs but crosses over to other Federal entities such as the Internal Revenue
Service (IRS) and the Immigration and Naturalization Service (INS). The IRS uses Wage W-2s to
enforce tax laws and can penalize employers and employees for providing incorrect information.
The INS has oversight responsibility for unauthorized noncitizens. The Immigration Reform and
Control Act of 1986 made it illegal for employers to knowingly hire or continue to employ
unauthorized noncitizens. Employers must request newly hired employees to present documents
that establish their identity and eligibility to work.

SSA Has Taken Steps to Address this Challenge

SSA developed Key Initiatives within its annual performance plan containing an overall strategy
and several individual projects designed to reduce the ESF’s size and rate of growth. For
example, SSA plans to expand the use of the voluntary Employee Verification Service (EVS) to
assist employers in verifying new hire names/SSNs. Under the Key Initiatives, SSA is also
evaluating the results of two pilot projects that used the data bases of other Federal agencies to
assist employers in verifying employees’ names/SSNs.
However, the success of many of these
projects and pilots depends on the collaboration with and support from other agencies, such as the
IRS, the INS, and the Office of Child Support Enforcement (OCSE).

SSA also hired a national accounting firm to review the ESF and provide recommendations and
alternatives for management of this file. The contractor provided the final report to SSA in July
2001. The Agency is currently considering the recommendations made in the report.

SSA has developed other processes to validate the earnings data in the Master Earnings File
(MEF). In recent years, SSA started mailing Social Security statements to individuals who had
earnings and were age 25 or older. In FY 2001, SSA mailed 137 million of these statements.
However, over 7 million were returned to SSA as undeliverable. If an individual contacts SSA
about missing earnings, these amounts are either reinstated from the ESF to the MEF, if they are
currently in suspense, or added as new earnings to the MEF.

SSA Needs to Continue to Address this Challenge

We commend SSA for its ESF Key Initiatives, but the changes called for in the Initiative are long-
term, and several factors, both internal and external to SSA, hinder the efforts with the most
potential to reduce the ESF’s size and growth. Some of the internal factors include a higher
priority placed on other automated system developments and the fact that SSA has not linked
available information in its data base to identify chronic “problem” employers who continually
submit annual wage reports with multiple errors.
External factors include other Federal agencies
with separate yet related mandates, such as the IRS' failure to sanction employers for submitting
invalid wage data and the INS' complicated employer procedures for verification of eligible
employees.

Recent OIG reviews have found SSA needs to improve communications with employers and
enforce existing regulations if it expects to improve the accuracy of reported wages. For example,
in a recent review, we found a chronic problem employer was not familiar with SSA's verification
programs that could have prevented as much as 76 percent of the employer's wages from entering
the ESF. In another audit, we found that SSA did not maintain sufficient controls over the wage
reporting process to ensure employers were submitting quality earnings data. The audit noted that
285 employers submitted wage reports that failed SSA's wage reporting accuracy threshold 3
years in a row without SSA taking any action, even though more than $8.5 million in IRS
penalties could have been assessed.

Enumeration

Enumeration, the process of assigning SSNs to U.S. workers and Social Security beneficiaries, is
a major management challenge since it is one of the key elements SSA employs to effectively
administer the Nation’s Social Security system. The enumeration process also includes issuing
replacement cards to people with existing SSNs and verifying SSNs for employers and other
Federal agencies. In FY 2001, SSA issued over 18 million original and replacement SSN cards.

The magnitude of SSA’s enumeration area and the importance placed on SSNs provide a
tempting motive for unscrupulous individuals to fraudulently acquire an SSN and use it for illegal
purposes.
To effectively combat these criminals and reduce the occurrences of fraudulent SSN
attainment, SSA must employ effective front-end controls in its enumeration process.

SSA Has Taken Steps to Address this Challenge

Some of the Agency’s current and planned initiatives include the following:
• SSA, INS and the Department of State are working on agreements that will enable INS and
  the Department of State to collect enumeration data from aliens entering the United States.
• SSA implemented an enhancement to the Comprehensive Integrity Review Program (CIRP).
  CIRP is a business function used to deter and/or identify fraud by selecting fraud prone
  transactions for review on a regular basis. The enhancement to CIRP entailed automating a
  process to identify instances in which five or more SSN cards are sent to the same address
  within a 5-week period.
• SSA is working with States through the National Association of Public Health Statistics and
  Information Systems to allow FOs on-line access to State vital records data. Once
  implemented, FOs will be able to verify all U.S. birth certificates presented in support of SSN
  applications.
• SSA established a workgroup to identify enhancements that could be made in the Modernized
  Enumeration System to address certain fraud-prone situations.

SSA Needs to Continue to Address this Challenge

The September 11th terrorist attacks have only highlighted the importance of having a secure and
efficient enumeration process. Before the attacks, we made several recommendations to address a
variety of enumeration weaknesses. We believe these recommendations are still relevant today
and will help to make the enumeration process more secure.
Specifically, we recommended SSA:

• Obtain independent verification from the issuing agency (for example, INS and State
  Department) for all evidentiary documents submitted by noncitizens before issuing an original
  SSN;
• Establish a reasonable threshold for the number of replacement SSN cards an individual may
  obtain during a year and over a lifetime;
• Educate SSA staff about counterfeit documents; and
• Continue public policy discussions through interaction with the Departments of Justice and
  Treasury as well as the Federal Trade Commission.

Additionally, as we reported to Congress, we believe Congress and SSA should consider the
following steps:
• Increase the number of investigative and enforcement resources provided for SSN misuse
  cases;
• Expand the Agency’s data matching activities with other Federal, State, and local Government
  entities; and
• Explore the use of other innovative technologies such as biometrics in the enumeration
  process.

Since the events of September 11th, SSA created the Enumeration Response Team to develop
proposals to strengthen the enumeration process. The OIG is a partner on the Response Team. As
a result of the team's work, the Acting Commissioner approved the following seven
recommendations:
• Provide refresher training on enumeration policy and procedures, with emphasis on
  enumerating noncitizens, for all involved staff;
• Convene a joint task force between SSA, INS, the Department of State and the Office of
  Refugee Resettlement to work out procedures for verifying noncitizen documentation;
• Eliminate driver’s licenses as a reason for nonwork SSNs, to be implemented through the
  Program Operations Manual System (POMS);
• Provide an alternative to giving out Numident printouts for SSN verification.
  The Numident
  contains much of the information needed to establish credit or to get other “breeder”
  documents to perpetrate identity theft;
• Conduct a mandatory interview for applicants over the age of 12 applying for an original card
  and require evidence of identity for all children, regardless of age;
• Expedite implementation of a pilot to photocopy or scan all documentary evidence submitted
  with the Form SS-5 applications; and
• Change the Modernized Enumeration System to provide an electronic audit trail, regardless of
  the mode used to process the Forms SS-5.

Implementation of these recommendations and continued vigilance in this area is absolutely
necessary to ensure the integrity of the enumeration process. We understand the Agency has a
difficult task in balancing service and security. However, we believe the Agency has a duty to the
American public to safeguard the integrity of the enumeration process.

Fraud Risk

Fraud risk is a major management challenge since it drains needed resources away from SSA’s
programs and beneficiaries, and attacks the very credibility of SSA’s programs. As SSA’s
payments to beneficiaries approach half a trillion dollars annually, its exposure to fraud increases
proportionately. Many unscrupulous individuals target SSA’s programs to secure funds for their
own personal gain. Fraud is an inherent risk in all of SSA’s core business processes:
enumeration, earnings, claims, and post-entitlement. All of these processes include
vulnerabilities that provide individuals the opportunity to defraud third parties, SSA, and/or SSA’s
beneficiaries and recipients.
Our focus on fraud risk is based on program eligibility factors that
individuals misrepresent to attain or maintain eligibility.

Examples of the eligibility factors under the Old-Age, Survivors and Disability Insurance
(OASDI) program include family relationships and, for surviving spouses under age 60, children
in-care. SSA’s difficulties in monitoring eligibility factors for SSI recipients are a key reason the
SSI program has remained on the General Accounting Office’s (GAO) list of “high-risk” Federal
programs since 1997. Because the SSI program is means-based, it includes eligibility factors that
tend to be more difficult for SSA to verify and monitor. These include income, resources, living
arrangements, U.S. residency, and deemed income. While SSA is addressing the factors affecting
the complexity of the SSI program, the Agency still relies on self-reporting of income, living
arrangements and medical improvement in determining whether an individual is eligible for SSI
payments. Other key risk factors common to both programs are the detection of beneficiary
deaths and the monitoring of medical improvements for disabled beneficiaries.

SSA Has Taken Steps to Address this Challenge

SSA has taken an active role in addressing the integrity of the OASDI and SSI programs through
its “zero tolerance for fraud” initiative. Key projects under this initiative include Prisoners,
Fugitive Felons, and Electronic Death Registration. Additionally, through its Access to State
Records On-line program, SSA has obtained on-line query access to selected records in
69 agencies in 42 States. SSA has also implemented a program for FO staff to identify recipient
income before awarding SSI payments.
This program provides FO staff with direct access to
OCSE data bases related to wages, new hires, and unemployment insurance.

In addition to these new initiatives to address program fraud, SSA and the OIG continue to
expand existing programs. SSA’s Office of Operations and Office of Disability, in conjunction
with the OIG, have formed 13 Cooperative Disability Investigation (CDI) teams. To combat
disability fraud, these teams rely on the combined skills and specialized knowledge of OIG
investigators, State and local law enforcement officials, and SSA and DDS personnel. During
FY 2001, CDI teams prevented over $52 million in improper payments.

SSA’s efforts to identify and terminate payments to incarcerated beneficiaries and recipients
continue to be fruitful. SSA has agreements with 5,782 correctional facilities that cover over
99 percent of the inmate population. SSA estimates the suspension of payments to prisoners is
saving the OASDI and SSI programs $500 million, annually. Incentive payments under the 1996
Welfare Reform Act have contributed to that success. From March 1997 through July 2000, SSA
paid $31.57 million in incentive payments. SSA’s Actuary estimates that cumulative 7-year
savings through the year 2001 will be $3.5 billion. Furthermore, a study based on Calendar Year
1996 data conducted by SSA’s Office of Quality Assurance and Performance Assessment (OQA)
estimated that 45 percent of prisoner alerts were productive with identification of retroactive
overpayments totaling $202 million. In addition, OQA found that about $20 million per month in
incorrect benefit payments were prevented.

SSA Needs to Continue to Address this Challenge

For SSA to fulfill its role as a steward of public dollars, it is imperative that the universe or
magnitude of fraud be identified.
For example, the insurance, retail, and banking industries have
baselines to estimate potential dollars lost to fraud. A specific and significant fraud risk is the
detection of unreported beneficiary and recipient deaths. SSA relies on its Death Alert, Control,
and Update System (DACUS) to identify unreported deaths from Federal and State data bases
through computer matches. One audit disclosed that about 881 auxiliary beneficiaries were paid
about $31 million after their deaths because DACUS could not properly match their records.
Another audit found inadequate controls over DACUS and identified 26 individuals who
appeared to have fraudulently negotiated benefits of $429,779 paid for deceased beneficiaries.

Our audits have disclosed the need for SSA to improve its capability to avoid improper payments
to fugitive felons. One audit disclosed that, without effective matching of State fugitive files,
SSA would pay fugitives at least $30 million in SSI payments per year. As of October 2001, SSA
had obtained and matched against the SSI benefit rolls fugitive data files from a number of States,
the National Crime Information Center, and the U.S. Marshals Service.

Our investigative efforts to administer the Fugitive Felon Program since August 1, 1996 have
identified 45,071 fugitives who were overpaid more than $81.6 million. Of the 45,071 fugitives,
5,019 were arrested, and we estimated the related savings to be about $133 million for the SSI
program. While SSA has made progress in obtaining fugitive data, much more work remains in
this area.

Another audit recommended that SSA pursue legislation to prohibit the payment of OASDI
benefits to fugitives. We estimated that fugitives would receive at least $39 million in OASDI
benefits annually unless legislation is enacted to prohibit these payments.
While SSA agreed to
pursue this legislation, it was not included in SSA’s FY 2003 legislative package sent to Congress.

Government Performance and Results Act

The Government Performance and Results Act of 1993 (GPRA) established a system of strategic
planning and performance measurement across the Federal Government. GPRA calls for Federal
agencies to develop 5-year strategic plans, annual performance plans and annual performance
reports. While SSA has made strides toward improving its performance measures, SSA can
further strengthen its use of performance information by fully documenting the methods and data
used to measure performance, and by improving the data sources that appear to be unreliable.

President Bush has placed great emphasis on the management and performance of Federal
agencies. Through the Office of Management and Budget (OMB), the President has outlined
Governmentwide management reforms and specific priority management issues for SSA to
address. The Governmentwide reforms are budget and performance integration, strategic
management of human capital, competitive sourcing, improved financial performance, and
expanding electronic Government. The specific priority management issues that OMB outlined
for SSA to address are the implementation of the Ticket-to-Work program, disability process
redesign, and an updating of the disability medical listings. OMB also called for specific
performance measures to be included within SSA’s FY 2003 budget, including measures on
disability claims processing costs, retirement claims processing costs, disability claims processing
times, and amounts of improper payments paid to beneficiaries each year.

Recognizing the importance of GPRA and the results-oriented management it mandates, we
developed a work plan to review SSA’s implementation of GPRA.
Our work has focused on two issues that are critical to the success of SSA’s efforts to manage for results: determining the reliability of SSA’s performance data and ensuring SSA’s implementation of GPRA is in accordance with its requirements.

SSA Has Taken Steps to Address this Challenge

In response to GPRA, SSA also developed strategic plans, annual performance plans, and annual performance reports. Its most recent performance report for FY 2001 is included within SSA’s Performance and Accountability Report. The FY 2001 performance plan and report are organized by SSA’s five strategic goals, for which SSA describes the activities performed in support of each goal. There are 17 strategic objectives and 2 categories of output measures for major budgeted workloads supporting the 5 strategic goals. Under the objectives and categories, there are 71 specific performance indicators. SSA provides a general rationale, baseline performance information, data sources, and background information for each indicator.

To date, SSA has released multiple annual performance plans and reports. It has continually updated its annual performance plans, taking into consideration changing priorities and workloads, as well as recommendations from the OIG and GAO.

SSA Needs to Continue to Address this Challenge

Our performance reviews over the last few years have found most of SSA’s data to be reliable. We have, however, found that SSA often lacks documentation of the methods and data used to measure its performance. Despite these deficiencies for most measures, we were able to reproduce or obtain enough of the needed documentation to support our conclusions.

In some cases, the lack of documentation was significant and did not allow us to conclude on the quality of SSA’s performance data.
In FY 2001, we could not conclude on the reliability of the data, due to a lack of required documentation, for 6 of the 15 performance measures we reviewed.

Other reviews concluded that some data sources did not provide a reliable assessment of performance of the program being measured. We found the data for 5 of the 15 performance measures we reviewed in FY 2001 to be unreliable.

GPRA provides a framework by which SSA management can strategically plan and manage to meet its mission. SSA has made a commitment to use GPRA to develop plans and strategies that help it strategically manage and meet its mission. Our work has found that SSA can further strengthen its use of GPRA in its management through additional improvements to its performance plans and reports, by fully documenting the methods and data used to measure performance, and by working to improve the data sources where we found such sources to be unreliable estimates of performance.

Identity Theft

One of the fastest growing areas of concern for SSA and the OIG is the misuse of SSNs to commit crimes, particularly in the area of identity theft. In most cases, identity theft begins with the misuse of an SSN, and, while the ability to punish identity theft is important, the ability to prevent it is even more critical.

The public’s growing concern with SSN misuse and identity theft is reflected in the large number of allegations our Fraud Hotline receives annually. In FY 2001, over 56 percent of the 115,101 allegations received involved SSN misuse and/or identity theft. The growth of these numbers is only limited by our capacity to answer the calls. We believe identity theft is a significant problem, and it is growing.
We anticipate the complaints will increase unless SSA and Congress take firm actions to regulate the uses of SSNs.

Identity theft was already a significant problem facing law enforcement, the financial industry, and the American public before September 11th. In the weeks since that terrible day, it has become increasingly apparent that improperly obtained SSNs were a factor in the terrorists’ ability to assimilate themselves into our society while they planned their attacks. While this has heightened the urgency of the need for Congress, SSA, and the OIG to take additional steps to protect the integrity of the SSN, it has not altered the nature of the steps that must be taken.

SSA Has Taken Steps to Address this Challenge

SSA employs a number of methods to combat identity theft. Specifically, SSA protects the privacy of the American public by using personal identifying information for Social Security purposes only—SSA does not give, sell, or transfer personal information to third parties. To assist in the prevention of invalid SSN use in the workplace, SSA provides a mechanism through which States and employers can verify SSNs provided by employees. SSA has also provided training to its FO employees on how they can best advise the public on how to prevent identity theft as well as helping victims resolve their problems. To detect, identify, and deter potential employee and client fraud within the Social Security programs, SSA uses its CIRP. CIRP is a business function used to deter and/or identify fraud by selecting fraud prone transactions for review on a regular basis. High-risk transactions are selected for review based upon selection criteria designed to identify transactions that have the highest fraud potential.
Additionally, SSA has entered into partnerships with other agencies, such as the Federal Trade Commission, to fight identity crimes.

SSA Needs to Continue to Address this Challenge

To successfully address identity theft, we believe SSA must focus on three stages of protection: upon issuance of the SSN card, during the life of the SSN holder, and upon that individual’s death.

For example, birth records, immigration records, and other identification documents presented to SSA must be independently verified as authentic before SSA issues an SSN. While this may subject the enumeration process to delays, such delays may be necessary to ensure the integrity of the SSN.

Protecting the integrity of an SSN during the life of the SSN holder is a difficult charge. The SSN has become an integral part of everyday life, particularly in financial transactions, which makes it more difficult to give the number the degree of privacy it requires. Legislation, and more importantly, coordination between SSA and the financial services industry, can help limit the SSN’s public availability to the greatest extent practicable.

Finally, SSA must do more to protect the SSN after the SSN holder’s death. SSA receives death information from a wide variety of sources and compiles a Death Master File, which is updated monthly and transmitted to various agencies. It is also required to be offered for sale to the public and can be accessed over the Internet through a number of sources. Accuracy in this area is critical to SSA in the administration of its programs, to the financial services industry, and to the American people. Our audit work has revealed systematic errors in the Death Master File, and we have recommended steps that SSA can take to improve the reliability of this critical data.

The OIG plays an important role in helping other law enforcement agencies in their investigations.
Because the SSN is such a widely-used means of identification, we are frequently contacted by Federal, State, or local law enforcement agencies seeking to verify that a name and SSN match.

Under existing law, the authority of the Commissioner of Social Security to provide this information is tenuous at best, and the authority of the Inspector General (IG) to do so is non-existent. We have entered into an agreement with the Commissioner by which the IG can provide this information under limited circumstances, but the authority should be statutory, unconditional, and irrevocable. In our current environment, this critical information should be available to law enforcement, and we should have the authority and the duty to provide it.

Privacy safeguards protecting IRS information in the possession of SSA are more restrictive than those protecting other SSA information, and rightly so. However, since the events of September 11th, there needs to be a mechanism in place so that information can be disclosed to law enforcement in emergency situations. Specifically, there should be a provision in law under which either the Commissioner of SSA (who has possession of the necessary information) or the SSA IG (who receives requests from the Federal Bureau of Investigation [FBI] and others) can make the determination that disclosure is necessary, then authorize and make the necessary disclosures to the law enforcement community in an expeditious manner.

Representative Payees

Some individuals cannot manage or direct the management of their finances because of their age or mental and/or physical impairments. While Representative Payees (Rep Payee) provide a valuable service for beneficiaries, SSA must employ appropriate safeguards to ensure they meet their responsibilities to the beneficiaries they serve.

Congress granted SSA the authority to appoint Rep Payees to receive and manage these beneficiaries’ payments.
A Rep Payee may be an individual or an organization. SSA selects Rep Payees for OASDI beneficiaries or SSI recipients when representative payments would serve the individual’s interests. Rep Payees are responsible for using benefits in the beneficiary or recipient’s best interests. There are about 4.2 million Rep Payees who manage approximately $45 billion in annual benefit payments for 6.5 million beneficiaries.

SSA Has Taken Steps to Address this Challenge

SSA has developed a monitoring program for certain Rep Payees. This program consists of:

    Triennial On-site Reviews—On a 3-year cycle, SSA conducts on-site reviews of all fee-for-service Rep Payees, all volume organizational payees (serving over 100 beneficiaries), and all individual payees serving 20 or more beneficiaries.

    Annual Certification—SSA annually verifies that the required license or bond is current for all fee-for-service Rep Payees.

    Random Reviews—SSA conducts reviews of a random sample of 30 percent of all volume organizational and fee-for-service Rep Payees.

    6-Month Site Visits—SSA visits fee-for-service Rep Payees 6 months after their initial appointment as a Rep Payee to ensure they fully understand their duties and responsibilities.

    Quick Response Checks—SSA conducts reviews of organizational Rep Payees as needed in response to certain “trigger” events, such as third-party reports of misuse, complaints from vendors of failure to receive payment, or failure to complete the annual Rep Payee Report.

Finally, SSA has established a Rep Payee Task Force to perform a comprehensive review of the features and vulnerabilities of the Rep Payee program.
The Task Force is comprised of three subgroups concentrating on monitoring Rep Payees; systems support for the Rep Payee program; and bonding and licensing of Rep Payees.

SSA Needs to Continue to Address this Challenge

In FY 2001, we performed six financial-related audits of Rep Payees. Our audits showed that Rep Payees did not always meet their responsibilities to the beneficiaries they served. We identified deficiencies with the financial management of, and accounting for, benefit receipts and disbursements; vulnerabilities in the safeguarding of beneficiary payments; poor monitoring and reporting to SSA of changes in beneficiary circumstances; and inappropriate handling of conserved funds.

We continue to identify problems with SSA’s oversight of Rep Payees. For example, in March 2001, we alerted SSA to a condition whereby individuals were serving as Rep Payees who also had a Rep Payee to manage their own Social Security benefits. SSA subsequently identified approximately 3,800 instances where this had occurred.

Much is left for SSA to do to address the vulnerabilities and weaknesses in the Rep Payee program. This work includes the following:

    Selection of Rep Payees—SSA has not determined how it will stop the selection of those Rep Payees who are most likely to commit misuse. Currently, SSA does not perform background checks of Rep Payees to determine whether they have financial problems, bad credit, or have been convicted of a felony. However, SSA has issued a contract to research options for criminal and financial background checks.

    Rep Payee System—SSA is working to correct a number of system weaknesses we previously identified.
Our findings in this area include:
• SSA’s systems do not effectively track Rep Payees who do not respond to and complete Rep Payee Reports.
• SSA cannot always locate and retrieve completed Rep Payee Reports when needed.
• SSA’s systems do not include information on all Rep Payees, and beneficiaries who have Rep Payees, as required by law.

    Bonding and Licensing of Rep Payees—SSA’s policy specifies neither the amount of bond necessary to adequately protect beneficiaries nor the type or nature of licenses that are required. To date, SSA has not made any revisions to its policy to address these vulnerabilities.

    Stored Value Cards³—We are exploring the use of Stored Value Cards (SVC) to help ensure the proper management of beneficiaries’ funds. SSA may be able to employ the use of SVCs to better monitor its Rep Payees and reduce the administrative costs related to mailing, processing and storing annual Rep Payee Reports.

   3. An SVC is a prepaid spending card that can be used everywhere a credit card is accepted. SVCs do not have a line of credit and can be used to make automated teller machine withdrawals.

Service to the Public

SSA is committed to providing responsive, world-class service. Providing quality service remains a critical management issue facing SSA, and SSA recognizes there are significant service delivery problems that need attention. SSA’s workloads will continue to increase as “baby boomers” reach retirement age, challenging SSA to keep pace. As the Social Security Advisory Board reported, the result has been, and will continue to be, uneven service. Persons filing for retirement or survivor benefits are likely to be satisfied with the service provided.
However, individuals with complicated cases, such as DI or SSI, may encounter problems. As workloads increase, the dimensions of SSA’s problems can be expected to grow. If left unattended, the public will be faced with crowded reception areas, long waiting times, inadequate telephone service, and reduced quality of work.

SSA Has Taken Steps to Address this Challenge

SSA has developed a long-term Service Vision to describe its 10-year plan. The Vision is based on the premise that the convergence of the forecasted trends will provide SSA with the opportunity to (1) reshape its business processes, (2) reform its management of human capital and technology, and (3) deliver the service the American public demands. SSA plans to allow individuals to have access to one-stop shopping with single-points-of-entry to high quality Government services. Business partners that use SSA’s earnings reporting process will switch from paper and magnetic tape reporting to Internet reporting, reducing their costs as well as SSA’s. SSA plans on sharing information with Federal and State Government partners to serve the American public better. Additionally, SSA will rely on e-government solutions to increase its productivity and allow it to bridge the resource gap that will be created by the expected explosive growth in its workloads.

SSA Needs to Continue to Address this Challenge

While SSA met or came close to all of its goals related to its service, it will need to maintain existing service levels while exploring new and innovative ways to address service delivery problems. To accomplish this, SSA must recruit and retain a cadre of highly skilled employees. However, even at current staffing levels, SSA finds it difficult to maintain an acceptable level of service especially in its most complicated workloads. To make matters worse, SSA is facing an unusual wave of management and staff retirements.
At the same time, the Agency may find it difficult to replace employee losses as the Nation’s labor force of people between the ages of 25 to 44 is expected to shrink. If predicted shortages in human capital are realized, SSA may not be able to strengthen and revitalize future employee ranks as its workloads continue to grow in volume and complexity. Increasing workloads coupled with human capital shortages will further stress SSA’s ability to provide quality service to the public.

In January 2001, GAO designated strategic human capital management as a high-risk, Government-wide issue needing immediate attention. This issue involves four pervasive Federal agency human capital challenges:

    Acquisition and development of staffs whose size, skills, and deployment meet agency needs—ensuring current and future human capital needs are identified and gaps are filled through such efforts as effective recruiting, training, and contracting.

    Leadership continuity and succession planning—ensuring there are qualified people available to assume top leadership positions before they become available.

    Strategic human capital planning and organizational alignment—ensuring human capital strategies support strategic and program goals so an agency’s mission, vision, and objectives are realized.

    Creation of results-oriented organizational cultures—ensuring staff is empowered and motivated in conjunction with workplace accountability.

OIG and GAO have identified specific SSA human capital challenges and vulnerabilities that impact the Agency’s ability to meet projected service delivery needs. These include:

    Increasing demands for services—Beginning around 2008, the 76 million “baby boomers” will begin to move into their disability-prone years and begin to retire.
SSA anticipates that by 2010, applications for DI will increase by as much as 54 percent over 1999 levels and applications for retirement benefits by 20 percent over 1999 levels. A large proportion of retirees is expected to be non-English speaking. Also, many disability cases are expected to be mental-related impairments. Demands for the way services will be delivered are also expected to change, with citizens wanting different modes of accessibility, for example, using the Internet and “one-stop shopping” to access services and programs through one interaction with the Government.

    Retirement of a substantial portion of SSA’s workforce—SSA workforce retirements will peak between 2007 and 2009 with about 3,000 employees retiring per year. For example, over 80 percent of SSA’s upper-level managers and executives will be eligible to retire by 2010.

    Mixed success in past technological investments—To address anticipated increased workload demands, SSA plans to rely heavily on information technology. However, according to the OIG and GAO, some of the Agency’s past experiences have shown mixed success.

    Ensuring funds are available to support human capital management efforts—SSA must ensure that its future budget requests are adequate to address its human capital needs for the future.

Systems Security and Controls

The importance of computer system security increases as opportunities for users to disrupt critical systems, modify key processes, and read or copy sensitive data increase. Strong systems security and controls are needed to prevent access to confidential information and critical systems and the fraudulent use of SSA data. SSA continues to address systems vulnerabilities that could lead to unauthorized access or sabotage.
Many of these vulnerabilities have been identified during the annual audit of SSA’s financial statements, which have included reviews of SSA’s systems security and controls.

SSA Has Taken Steps to Address this Challenge

SSA has taken steps to strengthen its system security and controls. Its security program has a number of key components created to help protect its systems:

• SSA uses an access control package to enforce its policies of separation of duties. The package also includes an authentication process that users must complete prior to accessing SSA systems;
• SSA continues to enhance its CIRP, which is a business function used to deter and/or identify fraud by selecting fraud-prone transactions for review on a regular basis. SSA has an audit trail system that can identify individuals who have accessed or processed specific records. This system can identify suspected problems and support investigation of these problems;
• All employees with access to SSA systems are required to sign an annual acknowledgement of the Agency’s sanctions for systems access violations;
• SSA uses firewall technology to protect its network.
  The technology includes alerts and anomaly detection that identifies suspect activity; and
• SSA monitors its network 24 hours a day, 365 days a year.

Additionally, SSA has many on-going initiatives and new projects to further security awareness including:

• The Systems Security Handbook is available to all employees on SSA’s Intranet;
• SSA’s Intranet also has a variety of information for users of SSA systems including virus alerts and descriptions, listings of security officers and contacts, and links to other security web sites;
• Security training for all new employees and new supervisors;
• Risk/management training for all SSA systems managers and security personnel;
• Hosting security and anti-fraud conferences, as well as participation in numerous security conferences/symposiums hosted by other organizations;
• Producing desk-to-desk security alerts; and
• Certification training for SSA security professionals.

SSA established the Division of Systems Security and Program Integrity within its Office of Operations to enhance its security and integrity network and provide a focal point to address security issues. The Office of Operations also established Centers for Security and Integrity within each region and the Office of Central Operations to provide the proper level of focus on security and integrity issues nationwide.

SSA Needs to Continue to Address this Challenge

Strong systems security and controls are essential to protecting SSA’s critical information infrastructure. SSA’s current information security challenge is to understand system vulnerabilities and how to mitigate them.
By improving systems security and controls, SSA will be able to use current and future technology more effectively to fulfill the public’s needs.

To better protect its systems and the information contained within them, SSA should centralize all of its systems security management structure under the Chief Information Officer (CIO) to comply with the Government Information Security Reform Act (GISRA) and other laws to ensure all key security components responsible for agencywide security, policy, and administration report directly to the CIO. Currently, these functions are spread across several components within SSA.

GISRA requires each Agency to develop and implement an agencywide information security plan for its assets and operations, and requires the OIG to determine the efficiency and effectiveness of the overall security program and practices. SSA has developed and implemented an agency-wide information security plan for its assets and operations. Our assessment of SSA’s compliance with GISRA concluded that SSA generally meets the requirements of GISRA; however, there are opportunities for the Agency to strengthen its information security framework to ensure full compliance with GISRA and the information security-related laws and regulations that provide the foundation for GISRA.

Our work to date has noted other control weaknesses, including:

• SSA needs to perform background checks on SSA employees and contractors to protect its most sensitive data;
• SSA needs to limit employee access to those on a need-to-know basis;
• SSA needs to implement more stringent physical security measures at all SSA facilities so its most valuable asset, its human capital, is properly protected;
• SSA needs to develop performance measures to protect its critical physical assets, and continue to perform risk and possibly vulnerability assessments; and
• SSA needs to strengthen its information security framework to ensure full compliance with GISRA. Specifically, SSA needs to (1) have specific security performance measures, (2) evaluate all of its critical assets, (3) globally track information technology (IT) security training by its security staff, and (4) itemize IT security costs by projects.
"